Essentially, there was an issue between 2.1 and 2.2 which only seems to trigger if your charm has a large config. I believe the issue we encountered it with was nova-compute which shares a certificate with keystone, which can be fairly large.
I do believe the agents can be upgraded even if they are in error. It may require running "juju resolved", but I believe Upgrade supersedes running hooks.
I don't know why you wouldn't have seen it in staging, but maybe you aren't using SSL there? (And thus not generating certificates which then increases the size of relation-data/config?)
I don't believe that --dry-run will tell you much more than what version it would want to upgrade to.
The bug in question is bug #1697936
Essentially, there was an issue between 2.1 and 2.2 which only seems to trigger if your charm has a large config. I believe the issue we encountered it with was nova-compute which shares a certificate with keystone, which can be fairly large.
I do believe the agents can be upgraded even if they are in error. It may require running "juju resolved", but I believe Upgrade supersedes running hooks.
I don't know why you wouldn't have seen it in staging, but maybe you aren't using SSL there? (And thus not generating certificates which then increases the size of relation- data/config? )
I don't believe that --dry-run will tell you much more than what version it would want to upgrade to.